

FIG. 1 (100): Administrator 108; Network 103; Server computer 104; DBMS 105; Access control policy 107; Access Control 200.



FIG. 2 (Access Control 200): Path generator 202; Translator 300; Value expression generator 302; Path table 204.



FIG. 3 (flowchart):
Receive access control policy for a collection (304)
Generate a path for each node in the node tree representing a document in the collection (306)
Generate a value expression for each path (308)
Store paths and corresponding value expressions in path table (310)



FIG. 4 (flowchart):
Normalize rules (402)
Generate condition table (404)
Propagate and combine normalized rules (406)



FIG. 5 (condition table 500). Columns: ConditionID 502; Condition Expression.
C1: equal($Group, Admin) & xpath(/bib/book[@title="security"])
C2:



FIG. 6 (path table 600). Columns: Path 602; Value Expression 604.

Path 602:
/bib
/bib/@ver
/bib/text()
/bib/book
/bib/book/text()
/bib/book/@year
/bib/book/title
/bib/book/title/text()

Value Expression 604:
[$User='Murata' or $User='Seki' or $User='Tozawa']
[$User='Murata']
[$User='Murata' or $User='Seki']
[($User='Murata' or $User='Tozawa') and not($User='Hada')]
[$User='Murata' and not($User='Hada')]
[$User='Murata' and not($User='Hada')]
if !p then [ref(1, ../)]
if !p then [ref(1, ../../)]



FIG. 7 (flowchart 700):
Request access to a node in a document (702)
Evaluate value expression corresponding to node in path table (704)
Go to next requested node (712)



